Pentest Authorization Letter Template + Legal Requirements Explained
Sonali Sood
Founding GTM, CodeAnt AI
In 2018, a penetration testing firm was hired by a regional bank to conduct a physical and network security assessment. The engagement was legitimate. The scope was approved.
On day two, the testers were detained by law enforcement after being reported as suspicious actors attempting to access a restricted area. What resolved the situation wasn’t intent. It was documentation. A signed authorization letter that clearly listed:
the individuals conducting the test
the facilities and systems in scope
the approved testing activities
the executive who authorized the engagement
Within an hour, the testers were released. Without that letter, they would have faced the same legal consequences as attackers. This is not an edge case. Every penetration test, whether it involves:
applications
networks
physical access
or social engineering
operates in a legal gray area. That gray area is resolved by one thing: explicit, written authorization.
Laws like the Computer Fraud and Abuse Act (US), the Computer Misuse Act (UK), and similar regulations globally all depend on a single condition: Was the access authorized? The authorization letter is what proves that it was. Beyond legal protection, this document defines how the engagement actually runs.
It answers critical operational questions:
What systems can be tested
Which techniques are permitted
Who must be notified if something breaks
What happens if a real breach is discovered
These are not administrative details. They determine whether your pentest produces actionable security findings, or turns into an incident. This guide covers everything required to create a proper authorization letter:
legal requirements
scope definition
cloud provider rules
third-party considerations
emergency procedures
and complete template language
By the end, you’ll know exactly how to create an authorization letter that protects your organization, your testers, and the engagement itself.
Part 1: The Legal Foundation: Why Authorization Letters Exist
The Computer Fraud and Abuse Act (18 U.S.C. § 1030) is the primary US federal statute governing unauthorized computer access. Section (a)(2) prohibits accessing a computer without authorization or exceeding authorized access to obtain information. Section (a)(5) prohibits knowingly causing damage to a protected computer. Both provisions apply to penetration testers who act without explicit written authorization.
The key legal principle: good intent is not a defense under CFAA. A penetration tester who genuinely believes they are authorized, based on a verbal agreement or email exchange, but lacks formal written authorization, faces the same criminal exposure as a malicious attacker. Multiple court cases have turned on exactly this point, the absence of documented authorization transformed what the defendant believed was a legitimate security engagement into a criminal act.
Action
Without Authorization
With Proper Authorization
Port scanning target systems
Potential CFAA §1030(a)(2) violation
Explicitly permitted
Attempting login with test credentials
Potential CFAA §1030(a)(2) violation
Within defined scope
Exploiting a vulnerability
CFAA §1030(a)(5)+ exposure
Within defined scope
Accessing data via exploit
CFAA §1030(a)(2) felony risk
Within defined scope
Intercepting network traffic
Wiretap Act (18 U.S.C. §2511)
Explicitly permitted
Social engineering employees
May trigger state fraud laws
Explicitly permitted
Physical security testing
Trespass / breaking & entering laws
Explicitly permitted
Jurisdiction Considerations
Penetration testing engagements rarely operate in a single legal jurisdiction. Penetration testing laws vary by geography. The same activity may be legal in one jurisdiction and illegal in another unless properly authorized.
Legal Framework by Region:
Region
Primary Law
Key Legal Risk
Authorization Requirement
United States
CFAA + state laws
Broad scope under CFAA §1030(a)(1)–(7)
Federal law covers all states if properly authorized
Must be authorized by system owner / data controller
European Union
Member state laws + GDPR
Data handling risks under GDPR Article 32
Must include data handling + minimization provisions
What Changes in Each Region
🇺🇸 United States
CFAA applies broadly to unauthorized access and system interaction
Even benign testing can trigger violations without authorization
Federal coverage simplifies multi-state engagements
🇬🇧 United Kingdom
Computer Misuse Act focuses on:
unauthorized access
unauthorized modification
Authorization must come from:
system owner
or legally responsible entity (data controller)
🇪🇺 European Union
Legal requirements vary by country
GDPR introduces additional obligations:
minimize data collection
avoid storing personal data discovered during testing
Authorization should explicitly define:
data handling
retention policies
Multi-Jurisdiction Environments
If your systems or teams span regions, complexity increases significantly.
You must:
obtain jurisdiction-specific authorization (often via local counsel)
define which law governs the engagement (choice of law clause)
document where systems are physically hosted
evaluate cross-border testing risks
Example:
EU-based tester → testing US-hosted system
US-based tester → accessing EU data
These scenarios may introduce conflicting legal obligations.
Cloud-Hosted Systems (Critical Detail)
Cloud infrastructure adds another layer of legal ambiguity. Authorization must clearly specify:
where systems are physically hosted
which jurisdiction applies
Examples:
Cloud Region
Legal Consideration
AWS us-east-1
Primarily US law (CFAA applies)
GCP europe-west1
EU laws + GDPR obligations
Multi-region deployments
Requires explicit legal clarification
Authorization is not just about permission.
It must align with:
where systems are hosted
where testers operate from
which laws apply to both
Without this clarity, a valid pentest in one jurisdiction can become a legal violation in another.
Part 2: The Parties: Who Must Sign and Why
A penetration test authorization letter is only valid if the right parties are involved. It’s not just about permission, it’s about who has the legal authority to grant it. A complete authorization involves three distinct parties.
1. The Authorizing Organization
This is the entity that owns or controls the systems being tested. Important nuance: This is not always the organization paying for the test. If systems are operated by:
subsidiaries
vendors
cloud providers
then each system owner must authorize testing.
Authority Requirements
Requirement
Details
Minimum authority
C-suite executive or written delegation
Recommended
CISO + CTO co-signature
Additional Signatures by System Type
System Type
Additional Signatory
Why
Customer data systems
Legal counsel
Data liability
Payment systems
CFO or legal
Financial risk
Health data systems
Privacy officer
HIPAA compliance
Government systems
Contracting officer
Contractual obligation
What the Signature Represents
A valid signature confirms:
authorization for testing activities
authority over listed systems
acceptance of risk and indemnification
agreement to defined scope
What is NOT Valid Authorization
IT manager approval alone
verbal approval
email without formal letter
implied approval via purchase order
If the signer does not have authority, the authorization does not hold.
2. The Penetration Testing Firm
The authorization must clearly define who is allowed to test. Not just the company, the individuals.
Required Information
Requirement
Details
Legal entity name
Full company name
Authorized individuals
All testers explicitly listed
Engagement lead
Primary contact
Insurance
Proof of E&O coverage
Data handling
NDA / confidentiality terms
Why Individual Naming Matters
law enforcement verification
scope accountability
cloud provider compliance
subcontractor control
Example Format
“The following individuals are authorized to conduct testing:
[Full Name], [Role] — [Employer]
[Full Name], [Role] — [Employer]
Additional individuals require written approval before testing.”
3. Third-Party System Operators (Most Missed)
You cannot authorize testing on systems you don’t control. Modern infrastructure includes:
cloud providers
SaaS platforms
hosting providers
CDNs
Each may require separate authorization or notification.
Cloud Providers
Provider
Requirement
AWS
No pre-approval (most cases), but restrictions apply
GCP
No pre-approval, notify if impact risk
Azure
Rules of engagement + possible notification
SaaS Platforms
If testing involves SaaS (e.g., Salesforce, Workday):
→ Vendor authorization is required
Hosting & Colocation
data centers may require notification
physical testing requires explicit approval
CDN Providers
Testing through CDNs can trigger protection systems.
Cloudflare, Fastly, Akamai may require notification
ISPs
Testing should stop at your infrastructure boundary. Beyond that → separate authorization required.
That said, authorization must align with:
system ownership
legal authority
third-party involvement
Miss any of these, and the authorization breaks.
Even with the right parties involved, authorization is incomplete without clear scope definition. And this is where most engagements fail.
Part 3: The Technical Scope Definition: The Most Consequential Section
Scope ambiguity is the single most common source of disputes between penetration testing firms and their clients. "Test our web application" seems unambiguous until the tester begins testing APIs that serve the mobile application, which the client considers "out of scope." "Test our production environment" seems clear until the tester discovers that production shares a database with the HR system, which the client absolutely did not want tested.
Every ambiguity in scope definition will be resolved at the moment of maximum inconvenience — when a tester has found a vulnerability in a system that may or may not be in scope, or when a client is trying to explain to their board why the penetration testing firm accessed a system they thought was excluded.
Explicit scope definition requires three components:
In-scope enumeration: Everything that IS authorized for testing
Out-of-scope exclusion: Everything that is explicitly NOT authorized, even if adjacent to in-scope systems
Permitted techniques: What testing methods are authorized (and which require special approval)
In-Scope System Enumeration
For each system in scope, specify:
System identifier (IP, hostname, URL, ARN, etc.)
System type (web application, API, infrastructure, database, mobile, etc.)
Ownership confirmation (you own/control this system)
Environment (production, staging, QA, each must be listed if included)
Third-party notification status (cloud provider notified? Y/N)
Special handling (any systems with extra care requirements)
Example in-scope specification:
NETWORK SCOPE:
Production infrastructure:
IP Range: 52.14.88.0/24 (AWS us-east-1, owned by Organization)
IP Range: 52.14.89.0/24 (AWS us-east-1, owned by Organization)
Specific IPs excluded from range: 52.14.88.155 (third-party monitoring agent — see exclusions)
Development infrastructure:
IP Range: 10.0.0.0/16 (internal VPC, accessible via VPN)
APPLICATION SCOPE:
Primary web application:
URLs: <https://app.company.com/*><https://api.company.com/*><https://admin.company.com/*>
Environment: Production
Authentication: Test account credentials provided in Section 4
Mobile applications:
iOS: com.company.app (current App Store version)
Android: com.company.app (current Play Store version)
API backend: <https://mobile-api.company.com/v2/*>
Internal applications (accessible via VPN):
<https://internal.company.com/*><https://jira.company.internal/*>
NETWORK SCOPE:
Production infrastructure:
IP Range: 52.14.88.0/24 (AWS us-east-1, owned by Organization)
IP Range: 52.14.89.0/24 (AWS us-east-1, owned by Organization)
Specific IPs excluded from range: 52.14.88.155 (third-party monitoring agent — see exclusions)
Development infrastructure:
IP Range: 10.0.0.0/16 (internal VPC, accessible via VPN)
APPLICATION SCOPE:
Primary web application:
URLs: <https://app.company.com/*><https://api.company.com/*><https://admin.company.com/*>
Environment: Production
Authentication: Test account credentials provided in Section 4
Mobile applications:
iOS: com.company.app (current App Store version)
Android: com.company.app (current Play Store version)
API backend: <https://mobile-api.company.com/v2/*>
Internal applications (accessible via VPN):
<https://internal.company.com/*><https://jira.company.internal/*>
NETWORK SCOPE:
Production infrastructure:
IP Range: 52.14.88.0/24 (AWS us-east-1, owned by Organization)
IP Range: 52.14.89.0/24 (AWS us-east-1, owned by Organization)
Specific IPs excluded from range: 52.14.88.155 (third-party monitoring agent — see exclusions)
Development infrastructure:
IP Range: 10.0.0.0/16 (internal VPC, accessible via VPN)
APPLICATION SCOPE:
Primary web application:
URLs: <https://app.company.com/*><https://api.company.com/*><https://admin.company.com/*>
Environment: Production
Authentication: Test account credentials provided in Section 4
Mobile applications:
iOS: com.company.app (current App Store version)
Android: com.company.app (current Play Store version)
API backend: <https://mobile-api.company.com/v2/*>
Internal applications (accessible via VPN):
<https://internal.company.com/*><https://jira.company.internal/*>
Out-of-Scope Exclusions
The following systems are explicitly EXCLUDED from testing and must NOT be accessed, probed, or tested in any way, even if discovered during testing:
SYSTEMS EXCLUSIONS:
Third-party production systems:
Stripe API (api.stripe.com): Stripe is not a party to this agreement
Salesforce (company.salesforce.com): third-party SaaS not authorized
Workday HR system (company.myworkday.com): HR data excluded
Any system whose IP or hostname is not in the in-scope list
Shared infrastructure:
52.14.88.155: third-party monitoring vendor agent
52.14.88.200: customer-managed server (not owned by Organization)
Specific data categories:
Live customer PII: access is limited to test accounts only
Financial transaction records: use test account transactions only
Employee personal data: HR systems are excluded
Network infrastructure beyond the specified scope:
ISP infrastructure upstream of the Organization's border router
BGP routing infrastructure
DNS resolvers not operated by the Organization
TECHNIQUE EXCLUSIONS (require separate written approval):
Denial of Service (DoS) attacks of any kind
Social engineering of employees (email phishing, vishing)
Testing that would require modification of production data
Testing that involves downloading more than [DEFINED AMOUNT] of customer records
TIMING EXCLUSIONS:
No testing between 18:00 UTC Friday and 06:00 UTC Monday (maintenance windows)
No testing during the following business-critical periods: [List any planned high-traffic events, product launches, fiscal year-end]
WHAT HAPPENS IF TESTER DISCOVERS OUT-OF-SCOPE SYSTEM:
If the tester accidentally accesses or discovers an out-of-scope system:
Immediately cease interaction with the system
Notify the Engagement Contact within 4 hours
Document what was accessed and how
The tester shall not probe, exploit, or analyze the out-of-scope system further
The incident will be documented in the final report
Permitted Testing Techniques Matrix
The table below defines which techniques are allowed, restricted, or prohibited during the engagement.
Category
Technique
Status
Notes
Reconnaissance
Passive OSINT
Permitted
No target interaction
Active port scanning
Permitted
Normal intensity only
Service enumeration
Permitted
Directory / path enumeration
Permitted
Subdomain enumeration
Permitted
Authentication
Login brute force
Limited
Max 10 attempts per account
Password spraying
Limited
Max 3 passwords per account
Credential stuffing
Notify first
Contact engagement lead
MFA bypass testing
Permitted
Session token analysis
Permitted
Exploitation
Exploitation of findings
Permitted
In-scope systems only
Privilege escalation
Permitted
Document all steps
Lateral movement
Notify first
Pre-approval required
Data exfiltration (simulated)
Limited
Test data only
Denial of Service
Any DoS technique
Prohibited
Requires separate agreement
Rate limit testing
Limited
Low intensity only
Resource exhaustion
Prohibited
Social Engineering
Employee phishing
Out of scope
Not included
Phone / vishing
Out of scope
Not included
Injection
SQL injection testing
Permitted
Use test data
Command injection
Permitted
Limited to proof-of-concept
Code injection
Permitted
No persistent modification
Persistence
Backdoor installation
Prohibited
Even temporary
User account creation
Prohibited
Use provided test accounts
Config file modification
Prohibited
Data modification
Prohibited
Read-only exploitation only
Key Interpretation
Permitted → No additional approval required
Limited → Allowed with strict constraints
Notify first → Requires explicit approval before execution
Prohibited / Out of scope → Not allowed under any circumstance
Part 4: Cloud Provider Authorization Requirements
AWS Penetration Testing Policy (Current as of 2026)
Amazon Web Services maintains a penetration testing policy that all customers must comply with. The key points:
AWS Penetration Testing Requirements:
WHAT DOES NOT REQUIRE PRIOR APPROVAL:
EC2 instances and RDS instances you own
API Gateway endpoints
Lambda functions
ECS/EKS workloads
Elastic Beanstalk environments
CloudFront distributions
Aurora databases
S3 buckets (your own)
AWS WAF testing
WHAT IS ALWAYS PROHIBITED (regardless of authorization):
DNS zone walking (Route53)
Denial of service attacks against any AWS infrastructure
Port flooding
Protocol flooding
Request flooding (unless pre-approved)
Simulated DDoS attacks
WHAT REQUIRES PRIOR APPROVAL (submit via AWS form):
Simulated DDoS testing
Load testing that might affect AWS infrastructure
Testing AWS-managed services in ways that affect other customers
CURRENT POLICY URL:
<https://aws.amazon.com/security/penetration-testing/>
CURRENT POLICY URL:
<https://aws.amazon.com/security/penetration-testing/>
CURRENT POLICY URL:
<https://aws.amazon.com/security/penetration-testing/>
AUTHORIZATION LETTER LANGUAGE FOR AWS:
"Testing is authorized against AWS Account [ID] owned and operated by [Organization Name]. Testing complies with the AWS Penetration Testing
Customer Service Policy in effect at the time of testing. Prohibited activities under the AWS policy are excluded from this engagement."
GCP Penetration Testing Policy
CURRENT POLICY POSITION:
Google does not require prior approval for penetration testing of GCP resources you own. However:
REQUIREMENTS:
Testing must be limited to your own GCP resources
Testing that could affect other GCP customers is prohibited
Notify Google if you discover vulnerabilities in GCP itself (via Google's Vulnerability Reward Program)
Do not test Google's underlying infrastructure
PROHIBITED:
Testing that impacts shared GCP infrastructure
DoS/DDoS testing of any Google services
Testing systems you don't own that happen to be on GCP
GCP CURRENT POLICY:
<https://cloud.google.com/terms/aup>
GCP CURRENT POLICY:
<https://cloud.google.com/terms/aup>
GCP CURRENT POLICY:
<https://cloud.google.com/terms/aup>
AUTHORIZATION LETTER LANGUAGE FOR GCP:
"Testing is authorized against GCP Project(s) [Project-ID(s)] under billing account [Account-ID] owned by [Organization Name]. Testing complies with Google Cloud's Acceptable Use Policy and is limited to resources owned by [Organization Name]."
Microsoft Azure Penetration Testing Policy
CURRENT REQUIREMENT:
Microsoft requires customers to notify before conducting penetration tests against Azure resources using the Penetration Testing Rules of Engagement (PTROE) form.
WHERE TO NOTIFY:
<https://portal.msrc.microsoft.com/en-us/engage/pentest>
WHERE TO NOTIFY:
<https://portal.msrc.microsoft.com/en-us/engage/pentest>
WHERE TO NOTIFY:
<https://portal.msrc.microsoft.com/en-us/engage/pentest>
TIMELINE:
Submit notification form at least 1-2 business days before testing begins
Keep testing within the approved timeline
Notify Microsoft if testing extends beyond approved window
WHAT REQUIRES NOTIFICATION:
Any penetration testing against Azure-hosted resources
Load testing that might impact Azure infrastructure
Security assessment of Azure Marketplace solutions you use
WHAT IS PROHIBITED:
Testing Azure infrastructure itself (only your resources)
Testing is authorized against Azure Subscription(s) [Subscription-ID(s)] owned by [Organization Name]. Microsoft has been notified via the Penetration Testing Rules of Engagement form (Notification Reference: [REF-NUMBER], submitted [DATE]). Testing complies with Microsoft's Penetration Testing Rules of Engagement and is limited to resources owned by [Organization Name]."
The Multi-Cloud Authorization Complexity Matrix
Cloud Provider
Prior Approval Required
Notification Required
Prohibited Activities
Current Policy URL
AWS
No (for most services)
Recommended
DoS, DNS zone walking, Request flooding
aws.amazon.com/security/penetration-testing
GCP
No
Recommended
DoS, cross-customer impact
cloud.google.com/terms/aup
Azure
Via PTROE form
Yes — mandatory
DoS, Azure infrastructure, cross-customer
portal.msrc.microsoft.com
Cloudflare
Contact required
Yes
DDoS simulation, upstream infrastructure
cloudflare.com/responsible-disclosure
Fastly
Contact required
Yes
DDoS, testing Fastly edge infrastructure
N/A contact Fastly directly
Heroku
No (for your apps)
Recommended
Platform infrastructure, other customer apps
devcenter.heroku.com
DigitalOcean
No
Notify if extensive
DoS, cross-customer
digitalocean.com
GitHub
For GitHub.com itself
N/A for repos
GitHub infrastructure
docs.github.com
Part 5: The Emergency Procedures Section: The Most Neglected Provision
Penetration testing involves real exploitation against real systems. Things go wrong:
1. Unintended Service Disruption
What happens: A vulnerability exploit causes unexpected system behavior, service crash, database outage, or resource exhaustion.
Without a procedure:
Unclear who to contact
Tester may continue unknowingly
Client may panic and halt testing
With a procedure:
Defined escalation path
Tester stops the triggering activity immediately
Engagement contact initiates response if required
2. Discovery of an Active Breach
What happens: Tester identifies signs of a real attacker, malware, unauthorized access, or ongoing data exfiltration.
Without a procedure:
Tester unsure whether to stop or continue
Client remains unaware of active compromise
With a procedure:
Immediate escalation
Testing halted in affected systems
Incident response and forensic preservation begin
3. Access to Out-of-Scope Sensitive Data
What happens: A vulnerability exposes data that should not be accessed, PII, financial records, or internal systems.
Without a procedure:
Tester risks violating scope
Client unaware sensitive data was exposed
With a procedure:
Immediate disengagement
Access path documented without further interaction
What happens: Tester is stopped by security or law enforcement during physical testing.
Without a procedure:
Legal exposure
Escalation into a real incident
With a procedure:
Authorization letter presented immediately
24/7 contact validates engagement
6. Third-Party Impact
What happens: Testing affects shared infrastructure or external systems.
Without a procedure:
Responsibility unclear
Potential legal or contractual issues
With a procedure:
Immediate cessation
Stakeholders notified
Incident documented
Why This Matters
Scenario Type
Risk Without Procedure
Outcome With Procedure
Service disruption
Outage, panic
Controlled response
Active breach
Missed attack
Immediate containment
Data exposure
Scope violation
Safe handling
SIEM alert
False escalation
Controlled validation
Physical detention
Legal risk
Immediate clearance
Third-party impact
Liability
Managed response
The Emergency Procedures Specification
This section defines what happens when something goes wrong during testing.
7.1 Emergency Contact Chain
All parties must be reachable throughout the testing window.
Client Emergency Contacts: (Must respond within defined SLA - e.g., 30/60/120 minutes)
Role
Name
Phone
Mobile
Email
Availability
Primary
[Name]
[Number]
[Mobile]
[Email]
24/7
Secondary
[Name]
[Number]
[Mobile]
[Email]
Backup
Testing Firm Contacts:
Role
Name
Phone
Mobile
Email
Engagement Lead
[Name]
[Number]
[Mobile]
[Email]
Technical Lead
[Name]
[Number]
[Mobile]
—
7.2 Safe Word Protocol
A safe word system is used to immediately validate the engagement.
Safe Word:[UNIQUE WORD] (e.g., BLUEKITE)
Used in:
SOC communications
incident validation
law enforcement interactions
Who Knows the Safe Word
[List individuals]
Law Enforcement Script
“This activity is part of an authorized security assessment. The safe word for this engagement is [SAFE WORD]. Please contact [Name] at [Phone] to confirm authorization.”
7.3 Service Disruption Procedure
If testing causes or may cause disruption:
Immediate Response
Stop the triggering activity immediately
Notify client within [15 minutes]
Client Decision: Client determines next step:
continue testing
temporarily pause
terminate engagement
Follow-Up
document cause + technique
log client decision
trigger incident response if needed
Liability Note
in-scope actions → governed by agreement
prohibited actions → tester responsibility
7.4 Discovery of Active Third-Party Compromise
If evidence of a real attacker is found:
Immediate Action
stop testing in affected area
notify client within 4 hours
Testing Team Responsibilities
do not modify systems
preserve evidence
document findings
maintain logs
provide written summary
Strictly Not Allowed
contacting law enforcement
notifying third parties
public disclosure
continuing testing without approval
Key Principle: The client owns incident response decisions.
7.5 Accidental Access to Out-of-Scope Data
If restricted systems or data are accessed:
Immediate Action: stop interaction immediately
Within 4 Hours: Notify Client and provide:
what was accessed
how it happened
what data was seen (description only)
confirmation of disengagement
Tester Obligations:
do not retain or reuse data
delete automatically captured data
confirm deletion in writing
include incident in final report
Client may:
allow alternate testing path
terminate test case
7.6 Physical Security Emergencies (If Applicable)
If tester is detained:
Present physical authorization letter
Provide emergency contact
Client confirms engagement
Notify engagement lead within 1 hour
Required Items for Testers:
physical authorization letter
business card
valid photo ID
That said, emergency procedures are not optional.
They define:
how quickly incidents are contained
how risk is controlled
whether testing remains safe and legal
Without them, a controlled test can become a real incident.
Part 6: Data Handling Provisions: The GDPR Dimension
Penetration testing is inherently data-exposing. To confirm vulnerabilities, testers often interact with live systems that contain real customer data, credentials, financial records, and internal business information. This is not incidental. It is part of how modern vulnerabilities are validated.
Because of this, the authorization letter must clearly define how data is handled during testing. Without explicit controls, testing itself can introduce regulatory risk.
6.1 Data Encountered During Penetration Testing
During a standard engagement, testers may encounter multiple categories of sensitive data as a direct result of valid exploitation paths.
Data Type
Typical Source
User credentials
Authentication flaws and weak access controls
Session tokens
Traffic interception and session analysis
Personal data (PII)
IDOR and injection vulnerabilities
Financial data
Business logic and authorization flaws
API keys and service credentials
JavaScript bundles or repository history
Internal business data
Authorization bypass
Encrypted data
Captured traffic that may be decryptable
Log files with user activity
Path traversal or log access vulnerabilities
The presence of this data is evidence of risk. It is not a resource to be collected or retained.
6.2 GDPR and Data Protection Considerations
If testing involves personal data of EU data subjects, it is considered a data processing activity under GDPR. In this context:
the client remains the data controller
the testing firm operates as a data processor
This introduces specific legal and operational obligations.
Data Processing Agreement (DPA)
A DPA is required when personal data is accessed during testing. It must define:
purpose of processing
duration of access
nature of processing activities
categories of data involved
security safeguards
Data Minimization
Testing must limit access to the minimum data required to confirm a vulnerability. For example, validating exposure with a single record is sufficient. Extracting full datasets is not.
Purpose Limitation
Data accessed during testing may only be used for vulnerability validation. It must not be used for:
internal research
training data
demonstrations
reuse across engagements
Retention Limitation
Client data must not be retained beyond necessity.
default expectation is no retention beyond the engagement
maximum retention window may be defined as [30 / 60 / 90 days]
written confirmation of deletion is required
Data Subject Rights
The client retains responsibility for all data subject rights. The testing firm must ensure that testing activities do not:
interfere with these rights
bypass existing controls
create additional exposure
6.3 Transition to Operational Controls
The principles above must be enforced through explicit, testable rules. The following section defines how data is classified, handled, retained, and protected during the engagement.
Data Handling and Confidentiality
This section translates data protection principles into operational controls that govern the engagement.
Data Classification During Testing
The testing firm shall handle all data encountered during testing according to the following classification model:
Data Category
Handling Requirement
Test account data
May be accessed and analyzed fully
Real user PII
Confirm existence only. Do not copy or reproduce
Payment card data
Confirm existence only. No reproduction
Discovered credentials
Document existence. Rotate upon notification
API keys and secrets
Notify client within 24 hours. Do not retain
Business confidential data
Access only what is necessary. Document usage in report
System credentials
Document access path. Do not store credentials
Source code
May be analyzed. Do not reproduce significant portions
Data Retention and Deletion
The testing firm commits to the following data handling practices.
Testing Artifacts
Includes screenshots, logs, and tool output.
retention period: [90 days after report delivery]
storage: encrypted systems within testing firm infrastructure
access: limited to engagement team members
Final Reports and Supporting Documents
retention period: [3 years for compliance purposes]
storage: encrypted and access-controlled
Client Data Encountered During Testing
retention: none beyond engagement
data must be deleted immediately upon discovery
Exception:
proof-of-concept evidence required for reporting may be retained temporarily
such evidence must be deleted within [30 days of report delivery]
Post-Engagement Requirements
Upon completion of the engagement, the testing firm will:
delete all client data from testing systems
provide written certification of deletion within [14 days]
confirm deletion from backup systems within [30 days]
Reporting and Disclosure
All findings are disclosed exclusively to the client through secure channels.
Approved Communication Methods
encrypted email
secure client portal
encrypted file transfer
in-person delivery where required
The Testing Firm Will Not
The testing firm agrees not to:
publish or discuss findings publicly without written approval
include findings in case studies without explicit consent
disclose the client as a customer without approval
reuse findings without anonymization
share or transfer client data to third parties
Bug Bounty Programs
Findings from this engagement will not be submitted to bug bounty programs by the testing firm. The client retains full discretion to disclose findings independently.
Non-Disclosure Obligations
The testing firm agrees to maintain confidentiality of:
the existence of the engagement
all findings and vulnerabilities
all client data accessed
system architecture and configurations
business processes observed during testing
Duration
Confidentiality obligations remain in effect for: [2 years] from the engagement completion date
Exceptions
Disclosure is permitted only if required by law or court order. Where legally allowed, the client will be notified in advance.
That said, data handling in penetration testing is not a secondary concern. It is a control layer that determines whether testing remains compliant, secure, and legally defensible. A well-defined data handling section ensures that vulnerabilities are identified without introducing new risk.
Part 7: Complete Authorization Letter Template
This is the complete template ready for adaptation. Every section from Parts 1–6 synthesized into a single coherent document:
PENETRATION TESTING AUTHORIZATION LETTER
AND RULES OF ENGAGEMENT
ENGAGEMENT REFERENCE: [COMPANY-YEAR-NUMBER]
VERSION: 1.0
EFFECTIVE DATE: [START DATE]
EXPIRATION DATE: [END DATE]
═══════════════════════════════════════════════════════════════
SECTION 1: PARTIES
═══════════════════════════════════════════════════════════════
AUTHORIZING ORGANIZATION:
Legal Name: [Full legal name of the organization]
Business Name: [DBA if applicable]
Registered Address: [Address]
Authorized Representative:
Name: [Full Name]
Title: [C-Suite Title — CISO, CTO, CEO, etc.]
Email: [Corporate email]
Phone: [Direct phone number]
Secondary Authorization (Co-Signer if applicable):
Name: [Full Name]
Title: [Title]
PENETRATION TESTING FIRM:
Legal Name: [Full legal name of testing firm]
Business Address: [Address]
Engagement Lead:
Name: [Full Name]
Title: [Engagement Lead / Senior Security Engineer]
Email: [Corporate email]
Phone: [Direct phone number]
AUTHORIZED TESTING PERSONNEL:
The following individuals are exclusively authorized to conduct
testing activities under this authorization:
1. [Full Legal Name] — [Role] — [Employer Name]
2. [Full Legal Name] — [Role] — [Employer Name]
3. [Full Legal Name] — [Role] — [Employer Name]
Any individual not listed above who conducts testing activities
without written amendment to this authorization does so without
authorization and may face legal consequences.
═══════════════════════════════════════════════════════════════
SECTION 2: ENGAGEMENT PURPOSE AND AUTHORIZATION
═══════════════════════════════════════════════════════════════
2.1 Purpose
The Authorizing Organization engages the Penetration Testing Firm
to conduct a [TYPE: Black Box / Gray Box / White Box / Red Team]
penetration testing engagement for the purpose of identifying
security vulnerabilities in the systems listed in Section 3.
2.2 Authorization
The Authorizing Organization hereby explicitly authorizes the
Penetration Testing Firm and the authorized personnel listed in
Section 1 to:
a. Probe, scan, and enumerate the systems listed in Section 3
b. Attempt to identify security vulnerabilities in those systems
c. Attempt to exploit identified vulnerabilities using the techniques
permitted in Section 6, to demonstrate confirmed exploitability
d. Access data in in-scope systems to the minimum extent necessary
to confirm vulnerability existence and impact
e. Document all testing activities and findings for delivery to
the Authorizing Organization
This authorization explicitly DOES NOT permit:
a. Access to systems not listed in Section 3
b. Techniques explicitly prohibited in Section 6
c. Retention or use of client data beyond engagement purposes
d. Disclosure of findings to third parties without written approval
2.3 Legal Acknowledgment
The Authorizing Organization confirms that it owns, controls, or has
obtained separate authorization for all systems listed in Section 3,
and has the legal authority to authorize security testing of those systems.
The Penetration Testing Firm confirms that all testing activities will
comply with applicable laws, including but not limited to the Computer
Fraud and Abuse Act (18 U.S.C. § 1030), and that this authorization
letter constitutes explicit authorization for all activities within its scope.
═══════════════════════════════════════════════════════════════
SECTION 3: IN-SCOPE SYSTEMS
═══════════════════════════════════════════════════════════════
3.1 Network Scope
[List all in-scope IP ranges, hostnames, and domains]
3.2 Application Scope
[List all in-scope web applications, APIs, mobile applications]
3.3 Cloud Infrastructure Scope
[List cloud accounts, project IDs, subscription IDs, and services]
3.4 Code Repository Scope (White Box only)
[List GitHub/GitLab organizations, repositories]
3.5 Physical Scope (if applicable)
[List physical locations if physical testing is in scope]
═══════════════════════════════════════════════════════════════
SECTION 4: OUT-OF-SCOPE EXCLUSIONS
═══════════════════════════════════════════════════════════════
[List all explicitly excluded systems, data categories, techniques, and timing]
═══════════════════════════════════════════════════════════════
SECTION 5: CLOUD PROVIDER AUTHORIZATION
═══════════════════════════════════════════════════════════════
5.1 AWS Authorization
[Account IDs, compliance with AWS Penetration Testing policy confirmation]
5.2 Azure Authorization
[Subscription IDs, PTROE form reference number and submission date]
5.3 GCP Authorization
[Project IDs, compliance with GCP AUP confirmation]
5.4 Other Cloud/Hosting Providers
[Any additional provider notifications and status]
═══════════════════════════════════════════════════════════════
SECTION 6: PERMITTED TECHNIQUES
═══════════════════════════════════════════════════════════════
[Full techniques matrix from Part 3]
═══════════════════════════════════════════════════════════════
SECTION 7: TESTING WINDOW
═══════════════════════════════════════════════════════════════
7.1 Active Testing Window
Start Date/Time: [DATE] at [TIME][TIMEZONE]
End Date/Time: [DATE] at [TIME][TIMEZONE]
Total Duration: [X] business days / [X] calendar days
7.2 Time Restrictions
Testing hours (if applicable): [TIMES][TIMEZONE]
Blackout periods: [DATES/TIMES when testing must stop]
After-hours testing: [PERMITTED/NOT PERMITTED/REQUIRES APPROVAL]
7.3 Extension Procedure
Extensions to the testing window require written approval from the
Authorized Representative listed in Section 1. Extensions requested
less than 24 hours before expiration must be approved by phone with
written confirmation.
═══════════════════════════════════════════════════════════════
SECTION 8: EMERGENCY PROCEDURES
═══════════════════════════════════════════════════════════════
[Full emergency procedures from Part 5]
═══════════════════════════════════════════════════════════════
SECTION 9: DATA HANDLING
═══════════════════════════════════════════════════════════════
[Full data handling provisions from Part 6]
═══════════════════════════════════════════════════════════════
SECTION 10: DELIVERABLES
═══════════════════════════════════════════════════════════════
10.1 Report Contents
The Penetration Testing Firm will deliver a final report containing:
a. Executive summary (1-2 pages, non-technical)
b. Methodology description
c. All findings with:
- Unique finding ID
- CVSS 4.0 score and vector
- Severity classification
- Technical description
- Proof of concept (with screenshots/evidence)
- Business impact assessment
- Root cause analysis
- Specific remediation guidance
- Code-level fix where applicable (white box engagements)
d. Findings prioritized by CVSS score
e. Exploit chain analysis (where applicable)
f. Summary of out-of-scope findings if any occurred
g. Appendices: tool output, raw scan data (optional)
10.2 Report Delivery
Format: [PDF / Encrypted PDF / Secure portal]
Timeline: Within [5/7/10] business days of testing window close
Recipient: [Named individuals who receive the report]
Delivery method: [Encrypted email / Secure upload / In-person]
10.3 Interim Communication
Critical findings (CVSS 9.0+):
Notification within: [4 hours / 24 hours] of confirmation
Method: Phone + encrypted email
High findings (CVSS 7.0-8.9):
Notification within: [24 hours / 48 hours] of confirmation
Method: Encrypted email
═══════════════════════════════════════════════════════════════
SECTION 11: INDEMNIFICATION AND LIABILITY
═══════════════════════════════════════════════════════════════
11.1 Client Indemnification
The Authorizing Organization agrees to indemnify, defend, and hold
harmless the Penetration Testing Firm and its authorized personnel
from any claims, damages, or proceedings arising from:
a. Testing activities within the authorized scope using permitted techniques
b. Third-party claims arising from the discovery of vulnerabilities
c. Law enforcement inquiries related to authorized testing activities
11.2 Tester Responsibility
The Penetration Testing Firm is responsible for:
a. Testing activities outside the authorized scope
b. Use of explicitly prohibited techniques
c. Negligent damage to production systems
d. Unauthorized disclosure of findings
e. Data retention beyond permitted periods
11.3 Limitation of Liability
The Penetration Testing Firm's total liability for any claim arising
from this engagement shall not exceed [the engagement fee / $X / the
amount of the firm's applicable professional liability insurance].
Neither party is liable for indirect, consequential, or punitive
damages regardless of the basis of the claim.
═══════════════════════════════════════════════════════════════
SECTION 12: GOVERNING LAW
═══════════════════════════════════════════════════════════════
This authorization letter and any disputes arising from or related
to the engagement described herein shall be governed by the laws of
[STATE/COUNTRY], without regard to conflicts of law provisions.
═══════════════════════════════════════════════════════════════
SECTION 13: SIGNATURES
═══════════════════════════════════════════════════════════════
AUTHORIZING ORGANIZATION:
Signature: _______________________ Date: ___________
Printed Name: _______________________
Title: _______________________
[Co-signer if required:]
PENETRATION TESTING AUTHORIZATION LETTER
AND RULES OF ENGAGEMENT
ENGAGEMENT REFERENCE: [COMPANY-YEAR-NUMBER]
VERSION: 1.0
EFFECTIVE DATE: [START DATE]
EXPIRATION DATE: [END DATE]
═══════════════════════════════════════════════════════════════
SECTION 1: PARTIES
═══════════════════════════════════════════════════════════════
AUTHORIZING ORGANIZATION:
Legal Name: [Full legal name of the organization]
Business Name: [DBA if applicable]
Registered Address: [Address]
Authorized Representative:
Name: [Full Name]
Title: [C-Suite Title — CISO, CTO, CEO, etc.]
Email: [Corporate email]
Phone: [Direct phone number]
Secondary Authorization (Co-Signer if applicable):
Name: [Full Name]
Title: [Title]
PENETRATION TESTING FIRM:
Legal Name: [Full legal name of testing firm]
Business Address: [Address]
Engagement Lead:
Name: [Full Name]
Title: [Engagement Lead / Senior Security Engineer]
Email: [Corporate email]
Phone: [Direct phone number]
AUTHORIZED TESTING PERSONNEL:
The following individuals are exclusively authorized to conduct
testing activities under this authorization:
1. [Full Legal Name] — [Role] — [Employer Name]
2. [Full Legal Name] — [Role] — [Employer Name]
3. [Full Legal Name] — [Role] — [Employer Name]
Any individual not listed above who conducts testing activities
without written amendment to this authorization does so without
authorization and may face legal consequences.
═══════════════════════════════════════════════════════════════
SECTION 2: ENGAGEMENT PURPOSE AND AUTHORIZATION
═══════════════════════════════════════════════════════════════
2.1 Purpose
The Authorizing Organization engages the Penetration Testing Firm
to conduct a [TYPE: Black Box / Gray Box / White Box / Red Team]
penetration testing engagement for the purpose of identifying
security vulnerabilities in the systems listed in Section 3.
2.2 Authorization
The Authorizing Organization hereby explicitly authorizes the
Penetration Testing Firm and the authorized personnel listed in
Section 1 to:
a. Probe, scan, and enumerate the systems listed in Section 3
b. Attempt to identify security vulnerabilities in those systems
c. Attempt to exploit identified vulnerabilities using the techniques
permitted in Section 6, to demonstrate confirmed exploitability
d. Access data in in-scope systems to the minimum extent necessary
to confirm vulnerability existence and impact
e. Document all testing activities and findings for delivery to
the Authorizing Organization
This authorization explicitly DOES NOT permit:
a. Access to systems not listed in Section 3
b. Techniques explicitly prohibited in Section 6
c. Retention or use of client data beyond engagement purposes
d. Disclosure of findings to third parties without written approval
2.3 Legal Acknowledgment
The Authorizing Organization confirms that it owns, controls, or has
obtained separate authorization for all systems listed in Section 3,
and has the legal authority to authorize security testing of those systems.
The Penetration Testing Firm confirms that all testing activities will
comply with applicable laws, including but not limited to the Computer
Fraud and Abuse Act (18 U.S.C. § 1030), and that this authorization
letter constitutes explicit authorization for all activities within its scope.
═══════════════════════════════════════════════════════════════
SECTION 3: IN-SCOPE SYSTEMS
═══════════════════════════════════════════════════════════════
3.1 Network Scope
[List all in-scope IP ranges, hostnames, and domains]
3.2 Application Scope
[List all in-scope web applications, APIs, mobile applications]
3.3 Cloud Infrastructure Scope
[List cloud accounts, project IDs, subscription IDs, and services]
3.4 Code Repository Scope (White Box only)
[List GitHub/GitLab organizations, repositories]
3.5 Physical Scope (if applicable)
[List physical locations if physical testing is in scope]
═══════════════════════════════════════════════════════════════
SECTION 4: OUT-OF-SCOPE EXCLUSIONS
═══════════════════════════════════════════════════════════════
[List all explicitly excluded systems, data categories, techniques, and timing]
═══════════════════════════════════════════════════════════════
SECTION 5: CLOUD PROVIDER AUTHORIZATION
═══════════════════════════════════════════════════════════════
5.1 AWS Authorization
[Account IDs, compliance with AWS Penetration Testing policy confirmation]
5.2 Azure Authorization
[Subscription IDs, PTROE form reference number and submission date]
5.3 GCP Authorization
[Project IDs, compliance with GCP AUP confirmation]
5.4 Other Cloud/Hosting Providers
[Any additional provider notifications and status]
═══════════════════════════════════════════════════════════════
SECTION 6: PERMITTED TECHNIQUES
═══════════════════════════════════════════════════════════════
[Full techniques matrix from Part 3]
═══════════════════════════════════════════════════════════════
SECTION 7: TESTING WINDOW
═══════════════════════════════════════════════════════════════
7.1 Active Testing Window
Start Date/Time: [DATE] at [TIME][TIMEZONE]
End Date/Time: [DATE] at [TIME][TIMEZONE]
Total Duration: [X] business days / [X] calendar days
7.2 Time Restrictions
Testing hours (if applicable): [TIMES][TIMEZONE]
Blackout periods: [DATES/TIMES when testing must stop]
After-hours testing: [PERMITTED/NOT PERMITTED/REQUIRES APPROVAL]
7.3 Extension Procedure
Extensions to the testing window require written approval from the
Authorized Representative listed in Section 1. Extensions requested
less than 24 hours before expiration must be approved by phone with
written confirmation.
═══════════════════════════════════════════════════════════════
SECTION 8: EMERGENCY PROCEDURES
═══════════════════════════════════════════════════════════════
[Full emergency procedures from Part 5]
═══════════════════════════════════════════════════════════════
SECTION 9: DATA HANDLING
═══════════════════════════════════════════════════════════════
[Full data handling provisions from Part 6]
═══════════════════════════════════════════════════════════════
SECTION 10: DELIVERABLES
═══════════════════════════════════════════════════════════════
10.1 Report Contents
The Penetration Testing Firm will deliver a final report containing:
a. Executive summary (1-2 pages, non-technical)
b. Methodology description
c. All findings with:
- Unique finding ID
- CVSS 4.0 score and vector
- Severity classification
- Technical description
- Proof of concept (with screenshots/evidence)
- Business impact assessment
- Root cause analysis
- Specific remediation guidance
- Code-level fix where applicable (white box engagements)
d. Findings prioritized by CVSS score
e. Exploit chain analysis (where applicable)
f. Summary of out-of-scope findings if any occurred
g. Appendices: tool output, raw scan data (optional)
10.2 Report Delivery
Format: [PDF / Encrypted PDF / Secure portal]
Timeline: Within [5/7/10] business days of testing window close
Recipient: [Named individuals who receive the report]
Delivery method: [Encrypted email / Secure upload / In-person]
10.3 Interim Communication
Critical findings (CVSS 9.0+):
Notification within: [4 hours / 24 hours] of confirmation
Method: Phone + encrypted email
High findings (CVSS 7.0-8.9):
Notification within: [24 hours / 48 hours] of confirmation
Method: Encrypted email
═══════════════════════════════════════════════════════════════
SECTION 11: INDEMNIFICATION AND LIABILITY
═══════════════════════════════════════════════════════════════
11.1 Client Indemnification
The Authorizing Organization agrees to indemnify, defend, and hold
harmless the Penetration Testing Firm and its authorized personnel
from any claims, damages, or proceedings arising from:
a. Testing activities within the authorized scope using permitted techniques
b. Third-party claims arising from the discovery of vulnerabilities
c. Law enforcement inquiries related to authorized testing activities
11.2 Tester Responsibility
The Penetration Testing Firm is responsible for:
a. Testing activities outside the authorized scope
b. Use of explicitly prohibited techniques
c. Negligent damage to production systems
d. Unauthorized disclosure of findings
e. Data retention beyond permitted periods
11.3 Limitation of Liability
The Penetration Testing Firm's total liability for any claim arising
from this engagement shall not exceed [the engagement fee / $X / the
amount of the firm's applicable professional liability insurance].
Neither party is liable for indirect, consequential, or punitive
damages regardless of the basis of the claim.
═══════════════════════════════════════════════════════════════
SECTION 12: GOVERNING LAW
═══════════════════════════════════════════════════════════════
This authorization letter and any disputes arising from or related
to the engagement described herein shall be governed by the laws of
[STATE/COUNTRY], without regard to conflicts of law provisions.
═══════════════════════════════════════════════════════════════
SECTION 13: SIGNATURES
═══════════════════════════════════════════════════════════════
AUTHORIZING ORGANIZATION:
Signature: _______________________ Date: ___________
Printed Name: _______________________
Title: _______________________
[Co-signer if required:]
PENETRATION TESTING AUTHORIZATION LETTER
AND RULES OF ENGAGEMENT
ENGAGEMENT REFERENCE: [COMPANY-YEAR-NUMBER]
VERSION: 1.0
EFFECTIVE DATE: [START DATE]
EXPIRATION DATE: [END DATE]
═══════════════════════════════════════════════════════════════
SECTION 1: PARTIES
═══════════════════════════════════════════════════════════════
AUTHORIZING ORGANIZATION:
Legal Name: [Full legal name of the organization]
Business Name: [DBA if applicable]
Registered Address: [Address]
Authorized Representative:
Name: [Full Name]
Title: [C-Suite Title — CISO, CTO, CEO, etc.]
Email: [Corporate email]
Phone: [Direct phone number]
Secondary Authorization (Co-Signer if applicable):
Name: [Full Name]
Title: [Title]
PENETRATION TESTING FIRM:
Legal Name: [Full legal name of testing firm]
Business Address: [Address]
Engagement Lead:
Name: [Full Name]
Title: [Engagement Lead / Senior Security Engineer]
Email: [Corporate email]
Phone: [Direct phone number]
AUTHORIZED TESTING PERSONNEL:
The following individuals are exclusively authorized to conduct
testing activities under this authorization:
1. [Full Legal Name] — [Role] — [Employer Name]
2. [Full Legal Name] — [Role] — [Employer Name]
3. [Full Legal Name] — [Role] — [Employer Name]
Any individual not listed above who conducts testing activities
without written amendment to this authorization does so without
authorization and may face legal consequences.
═══════════════════════════════════════════════════════════════
SECTION 2: ENGAGEMENT PURPOSE AND AUTHORIZATION
═══════════════════════════════════════════════════════════════
2.1 Purpose
The Authorizing Organization engages the Penetration Testing Firm
to conduct a [TYPE: Black Box / Gray Box / White Box / Red Team]
penetration testing engagement for the purpose of identifying
security vulnerabilities in the systems listed in Section 3.
2.2 Authorization
The Authorizing Organization hereby explicitly authorizes the
Penetration Testing Firm and the authorized personnel listed in
Section 1 to:
a. Probe, scan, and enumerate the systems listed in Section 3
b. Attempt to identify security vulnerabilities in those systems
c. Attempt to exploit identified vulnerabilities using the techniques
permitted in Section 6, to demonstrate confirmed exploitability
d. Access data in in-scope systems to the minimum extent necessary
to confirm vulnerability existence and impact
e. Document all testing activities and findings for delivery to
the Authorizing Organization
This authorization explicitly DOES NOT permit:
a. Access to systems not listed in Section 3
b. Techniques explicitly prohibited in Section 6
c. Retention or use of client data beyond engagement purposes
d. Disclosure of findings to third parties without written approval
2.3 Legal Acknowledgment
The Authorizing Organization confirms that it owns, controls, or has
obtained separate authorization for all systems listed in Section 3,
and has the legal authority to authorize security testing of those systems.
The Penetration Testing Firm confirms that all testing activities will
comply with applicable laws, including but not limited to the Computer
Fraud and Abuse Act (18 U.S.C. § 1030), and that this authorization
letter constitutes explicit authorization for all activities within its scope.
═══════════════════════════════════════════════════════════════
SECTION 3: IN-SCOPE SYSTEMS
═══════════════════════════════════════════════════════════════
3.1 Network Scope
[List all in-scope IP ranges, hostnames, and domains]
3.2 Application Scope
[List all in-scope web applications, APIs, mobile applications]
3.3 Cloud Infrastructure Scope
[List cloud accounts, project IDs, subscription IDs, and services]
3.4 Code Repository Scope (White Box only)
[List GitHub/GitLab organizations, repositories]
3.5 Physical Scope (if applicable)
[List physical locations if physical testing is in scope]
═══════════════════════════════════════════════════════════════
SECTION 4: OUT-OF-SCOPE EXCLUSIONS
═══════════════════════════════════════════════════════════════
[List all explicitly excluded systems, data categories, techniques, and timing]
═══════════════════════════════════════════════════════════════
SECTION 5: CLOUD PROVIDER AUTHORIZATION
═══════════════════════════════════════════════════════════════
5.1 AWS Authorization
[Account IDs, compliance with AWS Penetration Testing policy confirmation]
5.2 Azure Authorization
[Subscription IDs, PTROE form reference number and submission date]
5.3 GCP Authorization
[Project IDs, compliance with GCP AUP confirmation]
5.4 Other Cloud/Hosting Providers
[Any additional provider notifications and status]
═══════════════════════════════════════════════════════════════
SECTION 6: PERMITTED TECHNIQUES
═══════════════════════════════════════════════════════════════
[Full techniques matrix from Part 3]
═══════════════════════════════════════════════════════════════
SECTION 7: TESTING WINDOW
═══════════════════════════════════════════════════════════════
7.1 Active Testing Window
Start Date/Time: [DATE] at [TIME][TIMEZONE]
End Date/Time: [DATE] at [TIME][TIMEZONE]
Total Duration: [X] business days / [X] calendar days
7.2 Time Restrictions
Testing hours (if applicable): [TIMES][TIMEZONE]
Blackout periods: [DATES/TIMES when testing must stop]
After-hours testing: [PERMITTED/NOT PERMITTED/REQUIRES APPROVAL]
7.3 Extension Procedure
Extensions to the testing window require written approval from the
Authorized Representative listed in Section 1. Extensions requested
less than 24 hours before expiration must be approved by phone with
written confirmation.
═══════════════════════════════════════════════════════════════
SECTION 8: EMERGENCY PROCEDURES
═══════════════════════════════════════════════════════════════
[Full emergency procedures from Part 5]
═══════════════════════════════════════════════════════════════
SECTION 9: DATA HANDLING
═══════════════════════════════════════════════════════════════
[Full data handling provisions from Part 6]
═══════════════════════════════════════════════════════════════
SECTION 10: DELIVERABLES
═══════════════════════════════════════════════════════════════
10.1 Report Contents
The Penetration Testing Firm will deliver a final report containing:
a. Executive summary (1-2 pages, non-technical)
b. Methodology description
c. All findings with:
- Unique finding ID
- CVSS 4.0 score and vector
- Severity classification
- Technical description
- Proof of concept (with screenshots/evidence)
- Business impact assessment
- Root cause analysis
- Specific remediation guidance
- Code-level fix where applicable (white box engagements)
d. Findings prioritized by CVSS score
e. Exploit chain analysis (where applicable)
f. Summary of out-of-scope findings if any occurred
g. Appendices: tool output, raw scan data (optional)
10.2 Report Delivery
Format: [PDF / Encrypted PDF / Secure portal]
Timeline: Within [5/7/10] business days of testing window close
Recipient: [Named individuals who receive the report]
Delivery method: [Encrypted email / Secure upload / In-person]
10.3 Interim Communication
Critical findings (CVSS 9.0+):
Notification within: [4 hours / 24 hours] of confirmation
Method: Phone + encrypted email
High findings (CVSS 7.0-8.9):
Notification within: [24 hours / 48 hours] of confirmation
Method: Encrypted email
═══════════════════════════════════════════════════════════════
SECTION 11: INDEMNIFICATION AND LIABILITY
═══════════════════════════════════════════════════════════════
11.1 Client Indemnification
The Authorizing Organization agrees to indemnify, defend, and hold
harmless the Penetration Testing Firm and its authorized personnel
from any claims, damages, or proceedings arising from:
a. Testing activities within the authorized scope using permitted techniques
b. Third-party claims arising from the discovery of vulnerabilities
c. Law enforcement inquiries related to authorized testing activities
11.2 Tester Responsibility
The Penetration Testing Firm is responsible for:
a. Testing activities outside the authorized scope
b. Use of explicitly prohibited techniques
c. Negligent damage to production systems
d. Unauthorized disclosure of findings
e. Data retention beyond permitted periods
11.3 Limitation of Liability
The Penetration Testing Firm's total liability for any claim arising
from this engagement shall not exceed [the engagement fee / $X / the
amount of the firm's applicable professional liability insurance].
Neither party is liable for indirect, consequential, or punitive
damages regardless of the basis of the claim.
═══════════════════════════════════════════════════════════════
SECTION 12: GOVERNING LAW
═══════════════════════════════════════════════════════════════
This authorization letter and any disputes arising from or related
to the engagement described herein shall be governed by the laws of
[STATE/COUNTRY], without regard to conflicts of law provisions.
═══════════════════════════════════════════════════════════════
SECTION 13: SIGNATURES
═══════════════════════════════════════════════════════════════
AUTHORIZING ORGANIZATION:
Signature: _______________________ Date: ___________
Printed Name: _______________________
Title: _______________________
[Co-signer if required:]
Part 8: Special Circumstances: When Standard Letters Aren't Enough
Red Team Engagements
Red team engagements involve a restricted knowledge model — only specific individuals know the test is occurring. This creates complications for the authorization letter:
RED TEAM AUTHORIZATION SPECIAL PROVISIONS:
Standard authorization letters are known to the IT and security team.
Red team engagements require that only specific individuals know:
KNOWLEDGE COMPARTMENTALIZATION:
Individuals who know the engagement is occurring:
□ [Executive Sponsor — CEO/Board member]
□ [Legal Counsel]
□ [CISO — if not part of the "blue team" being tested]
Individuals who must NOT know (to ensure realistic testing):
□ SOC analysts
□ IT security team
□ System administrators
□ Help desk
WHAT THIS MEANS FOR THE AUTHORIZATION LETTER:
1. The letter must be signed by someone with authority who is NOT
in the group being tested
2. A "get out of jail free" card is provided to each red team member
containing contact info for the Executive Sponsor ONLY
3. The code word system must be known only to Executive Sponsor
(NOT to IT security team who would be "blue team")
4. A sealed envelope with full authorization details may be held
by Legal Counsel, opened only if legal issue arises
HANDLING BLUE TEAM RESPONSE:
If the blue team detects and responds to red team activity:
□ Define whether red team should "break character" if caught
□ Define the escalation path if blue team escalates to law enforcement
□ Define what happens if the blue team actually prevents red team success
GET OUT OF JAIL FREE CARD (Physical card given to each tester):
────────────────────────────────────────────────────────────
AUTHORIZED SECURITY ASSESSMENT
The individual presenting this card is conducting an authorized
penetration test / red team engagement on behalf of [Organization Name].
For immediate verification, contact:
[Executive Sponsor Name]: [24/7 Phone Number]
Code Word: [SAFE WORD]
Engagement Reference: [ENGAGEMENT-ID]
RED TEAM AUTHORIZATION SPECIAL PROVISIONS:
Standard authorization letters are known to the IT and security team.
Red team engagements require that only specific individuals know:
KNOWLEDGE COMPARTMENTALIZATION:
Individuals who know the engagement is occurring:
□ [Executive Sponsor — CEO/Board member]
□ [Legal Counsel]
□ [CISO — if not part of the "blue team" being tested]
Individuals who must NOT know (to ensure realistic testing):
□ SOC analysts
□ IT security team
□ System administrators
□ Help desk
WHAT THIS MEANS FOR THE AUTHORIZATION LETTER:
1. The letter must be signed by someone with authority who is NOT
in the group being tested
2. A "get out of jail free" card is provided to each red team member
containing contact info for the Executive Sponsor ONLY
3. The code word system must be known only to Executive Sponsor
(NOT to IT security team who would be "blue team")
4. A sealed envelope with full authorization details may be held
by Legal Counsel, opened only if legal issue arises
HANDLING BLUE TEAM RESPONSE:
If the blue team detects and responds to red team activity:
□ Define whether red team should "break character" if caught
□ Define the escalation path if blue team escalates to law enforcement
□ Define what happens if the blue team actually prevents red team success
GET OUT OF JAIL FREE CARD (Physical card given to each tester):
────────────────────────────────────────────────────────────
AUTHORIZED SECURITY ASSESSMENT
The individual presenting this card is conducting an authorized
penetration test / red team engagement on behalf of [Organization Name].
For immediate verification, contact:
[Executive Sponsor Name]: [24/7 Phone Number]
Code Word: [SAFE WORD]
Engagement Reference: [ENGAGEMENT-ID]
RED TEAM AUTHORIZATION SPECIAL PROVISIONS:
Standard authorization letters are known to the IT and security team.
Red team engagements require that only specific individuals know:
KNOWLEDGE COMPARTMENTALIZATION:
Individuals who know the engagement is occurring:
□ [Executive Sponsor — CEO/Board member]
□ [Legal Counsel]
□ [CISO — if not part of the "blue team" being tested]
Individuals who must NOT know (to ensure realistic testing):
□ SOC analysts
□ IT security team
□ System administrators
□ Help desk
WHAT THIS MEANS FOR THE AUTHORIZATION LETTER:
1. The letter must be signed by someone with authority who is NOT
in the group being tested
2. A "get out of jail free" card is provided to each red team member
containing contact info for the Executive Sponsor ONLY
3. The code word system must be known only to Executive Sponsor
(NOT to IT security team who would be "blue team")
4. A sealed envelope with full authorization details may be held
by Legal Counsel, opened only if legal issue arises
HANDLING BLUE TEAM RESPONSE:
If the blue team detects and responds to red team activity:
□ Define whether red team should "break character" if caught
□ Define the escalation path if blue team escalates to law enforcement
□ Define what happens if the blue team actually prevents red team success
GET OUT OF JAIL FREE CARD (Physical card given to each tester):
────────────────────────────────────────────────────────────
AUTHORIZED SECURITY ASSESSMENT
The individual presenting this card is conducting an authorized
penetration test / red team engagement on behalf of [Organization Name].
For immediate verification, contact:
[Executive Sponsor Name]: [24/7 Phone Number]
Code Word: [SAFE WORD]
Engagement Reference: [ENGAGEMENT-ID]
Supply Chain and Third-Party Testing
When the organization wants to test systems operated by its vendors or supply chain partners:
THIRD-PARTY SYSTEM TESTING AUTHORIZATION:
Scenario: Organization A wants to test the security of its critical vendor,
Vendor B, because Vendor B has access to Organization A's data.
LEGAL REALITY:
Organization A cannot authorize testing of Vendor B's systems.
Only Vendor B can authorize testing of Vendor B's systems.
Organization A can CONTRACT with Vendor B to require testing as
part of the vendor agreement, but that contract right is not
the same as the authorization letter.
CORRECT APPROACH:
Option 1: Organization A contracts Vendor B to engage a testing firm
- Vendor B signs the authorization letter as the authorizing party
- Organization A is named as the contracting/funding party
- Testing firm is authorized by Vendor B for Vendor B's systems
Option 2: Organization A hires the testing firm, Vendor B provides authorization
- Testing firm is engaged by Organization A
- Vendor B signs a separate authorization letter for their systems
- The letter acknowledges Organization A as the contracting party
- Both letters travel with the testing team
AUTHORIZATION LETTER LANGUAGE FOR VENDOR TESTING:
"This authorization is granted by [Vendor Name] ("Vendor") as the owner
and operator of the systems listed in Section 3. [Organization Name]
("Client") has contracted for this assessment as part of its vendor
security program under [Contract Reference]
THIRD-PARTY SYSTEM TESTING AUTHORIZATION:
Scenario: Organization A wants to test the security of its critical vendor,
Vendor B, because Vendor B has access to Organization A's data.
LEGAL REALITY:
Organization A cannot authorize testing of Vendor B's systems.
Only Vendor B can authorize testing of Vendor B's systems.
Organization A can CONTRACT with Vendor B to require testing as
part of the vendor agreement, but that contract right is not
the same as the authorization letter.
CORRECT APPROACH:
Option 1: Organization A contracts Vendor B to engage a testing firm
- Vendor B signs the authorization letter as the authorizing party
- Organization A is named as the contracting/funding party
- Testing firm is authorized by Vendor B for Vendor B's systems
Option 2: Organization A hires the testing firm, Vendor B provides authorization
- Testing firm is engaged by Organization A
- Vendor B signs a separate authorization letter for their systems
- The letter acknowledges Organization A as the contracting party
- Both letters travel with the testing team
AUTHORIZATION LETTER LANGUAGE FOR VENDOR TESTING:
"This authorization is granted by [Vendor Name] ("Vendor") as the owner
and operator of the systems listed in Section 3. [Organization Name]
("Client") has contracted for this assessment as part of its vendor
security program under [Contract Reference]
THIRD-PARTY SYSTEM TESTING AUTHORIZATION:
Scenario: Organization A wants to test the security of its critical vendor,
Vendor B, because Vendor B has access to Organization A's data.
LEGAL REALITY:
Organization A cannot authorize testing of Vendor B's systems.
Only Vendor B can authorize testing of Vendor B's systems.
Organization A can CONTRACT with Vendor B to require testing as
part of the vendor agreement, but that contract right is not
the same as the authorization letter.
CORRECT APPROACH:
Option 1: Organization A contracts Vendor B to engage a testing firm
- Vendor B signs the authorization letter as the authorizing party
- Organization A is named as the contracting/funding party
- Testing firm is authorized by Vendor B for Vendor B's systems
Option 2: Organization A hires the testing firm, Vendor B provides authorization
- Testing firm is engaged by Organization A
- Vendor B signs a separate authorization letter for their systems
- The letter acknowledges Organization A as the contracting party
- Both letters travel with the testing team
AUTHORIZATION LETTER LANGUAGE FOR VENDOR TESTING:
"This authorization is granted by [Vendor Name] ("Vendor") as the owner
and operator of the systems listed in Section 3. [Organization Name]
("Client") has contracted for this assessment as part of its vendor
security program under [Contract Reference]
Government and Regulated Industry Special Requirements
Part 9: Common Authorization Letter Mistakes and How to Avoid Them
The Ten Most Common Mistakes
Mistake
Why It's Dangerous
The Correct Approach
Verbal authorization only
Provides zero legal protection
Always get written authorization before any testing begins
Signing authority too low
IT manager cannot legally authorize
Require C-suite or delegated authority confirmation
No named individuals
Anyone at the firm could claim authorization
List every authorized tester by full legal name
Vague scope ("our systems")
Any system claimed is "ours"
Enumerate specific IPs, hostnames, URLs, account IDs
No out-of-scope list
Adjacent systems get tested
Explicitly exclude everything not in scope
Cloud provider notification omitted
Violates cloud ToS, potential account suspension
Check and document provider requirements before testing
No emergency procedures
Disruptions become crises
Define escalation path for every scenario
No data handling provisions
GDPR/regulatory exposure
Explicit provisions for each data category encountered
Open-ended testing window
Tester can return indefinitely
Hard start and end dates with extension procedure
No copy carried by testers
Law enforcement encounters become crises
Every tester carries a physical copy
The Document Nobody Reads Until They Need It Desperately
The penetration test authorization letter is the document that nobody reads carefully during normal operations and everyone reads desperately when something goes wrong — when law enforcement shows up, when a service goes down during testing, when a tester accidentally accesses a system that shouldn't have been in scope, when a client disputes what was authorized.
At that moment — when the authorization letter is needed most — there are exactly two outcomes: the document is clear, specific, and complete, and the situation resolves quickly in everyone's favor; or the document is vague, incomplete, or absent, and lawyers get involved.
The difference between those two outcomes is the quality of the work done before testing began. Specific scope definitions, named individuals, signed by actual authority, cloud providers notified, emergency procedures defined, data handling addressed. None of this is difficult. None of it is expensive. All of it is the kind of preparation that separates professional security testing engagements from the ones that generate cautionary stories.
CodeAnt AI provides engagement documentation — including a complete authorization letter package — as a standard part of every penetration testing engagement. The letter is reviewed by the client's legal team before signing, cloud provider notifications are handled as part of engagement setup, and emergency contacts are verified as reachable before the first test packet is sent.
The engagement doesn't start until the paperwork is right. That's not bureaucracy — it's the foundation that makes everything else in the engagement meaningful.
